Summary: A New Zealand security consultant has used a man-in-the-middle proxy to mop up all SSL traffic related to the App Store, updates, iCloud data, and traffic from apps that use certificate pinning, such as Twitter.

"I've confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks," Cortesi wrote.

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

Cortesi said that the intercepted traffic includes iCloud data, including KeyChain enrolment and updates, data from the Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

"It's difficult to overstate the seriousness of this issue," he wrote. "With a tool like mitmproxy in the right position, an attacker can intercept, view, and modify nearly all sensitive traffic."

Speaking to ZDNet, Cortesi said that although putting together the exploit from publicly available information is not trivial, it took him less than a day to do so.

"This is a critical issue that could be very valuable in the wrong hands, so I'm sure that others are working on it as we speak."

"I think there's quite a good chance that I wasn't the first, so it's safest to assume that this is being actively exploited in the wild. Of course, it's also likely that intelligence agencies have been onto this issue for some time."

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.